Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
4DescriptionCVE.org
The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a cross-site origin WebSocket hijacking attack. Among other uses, the WDU utilizes WebSockets to control settings, including administrative settings. This allows a network attacker to take full control of a WDU. To initiate an exploit of this vulnerability, the victim must (1) be utilizing a web browser on a multihomed host that has local interfaces on the Garmin Marine Network as well as another network, and (2) access a malicious third party website created by the attacker.
AnalysisAI
Cross-site WebSocket hijacking in Garmin WDU v1 1.4.6 and v2 5.0 allows remote attackers to gain full administrative control of the marine network device. Exploitation requires the victim to browse a malicious website while connected to both the Garmin Marine Network and another network simultaneously. EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation, but CVSS 9.3 reflects severe potential impact when conditions are met - this is a high-impact, low-probability threat primarily relevant to maritime environments with dual-network configurations.
Technical ContextAI
The Garmin Wireless Display Unit (WDU) is a marine navigation display that operates a locally-served web interface for configuration and control. The vulnerability stems from CWE-352 (Cross-Site Request Forgery), specifically manifesting as cross-origin WebSocket hijacking. WebSockets, unlike traditional HTTP, do not enforce same-origin policy restrictions by default, requiring explicit origin validation by the server. The WDU's WebSocket endpoint accepts connections without validating the Origin header, allowing a malicious website to establish a WebSocket connection from the victim's browser to the local WDU interface. Since the browser automatically includes authentication cookies or credentials, the attacker gains authenticated access to administrative WebSocket commands used to control device settings.
RemediationAI
Contact Garmin support at https://garmin.com for firmware updates addressing CVE-2025-27851 - specific patched firmware version not independently confirmed from available data sources. Until patching is completed, implement network segmentation to isolate the Garmin Marine Network from general-purpose computing devices with internet access, preventing the dual-network prerequisite required for exploitation. Configure firewall rules to block outbound WebSocket connections from marine network interfaces to external networks. Disable the WDU's web management interface when not actively needed for configuration tasks. Deploy browser extensions or endpoint policies on multihomed systems to restrict WebSocket connections to trusted origins only. Note that network isolation is the most effective compensating control but may impact legitimate remote monitoring workflows if marine operators require simultaneous access to vessel networks and external resources.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209829
GHSA-frpq-7mr9-hx8p